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Abstract — We develop an approach of key distribution protocol 
(KDP) proposed recently by T. Aono et al. A more general mathe- 
matical model based on the use of Variable-Directional Antenna 
(VDA) under the condition of multipath wave propagation is 
proposed. Statistical characteristics of VDA were investigated 
by simulation, that allows us to specify model parameters. The 
security of the considered KDP is estimated in terms of Shannon's 
information leaking to an eavesdropper depending on the mutual 
locations of the legal users and the eavesdropper. 

Antenna diversity is proposed as a mean to enhance the KDP 
security. In order to provide a better agreement of the shared 
keys it is investigated the use of error-correcting codes. 

I. Introduction 

The problem of key distribution is still in focus of research 
activity especially for wireless LAN systems. This is due to 
the severe resttiction of asymmetric (public key) cryptography 
WLAN implementation entailing a lower processing speed. 

In order to solve this problem, quantum cryptography JT| 
which allows eavesdropping detection within the key sharing 
procedure seems useful. However, this approach does not reach 
a practical level due to many technical problems, such as 
the requirement of special quantum devices. There are well 
known key distribution protocols (KDP) based on the presence 
of noise in both legal and illegal channels 0, 0, j4|. But 
even though the eavesdropper's channel is less noisy than the 
legal ones and the eavesdroppers is passive, it is necessary to 
have the knowledge of the eavesdropper's noisy power in order 
to guarantee a fixed level of key security. Unfortunately this 
condition cannot be taken for granted because an eavesdropper 
may be able to get some advantage at the cost of better receiver 
sensitivity, or a shorter distance of interception that it was 
considered by legal parties in the design of the secure KDP. 

The most basic assumption on the executed KDP is that the 
legal and illegal users have different locations, and this fact has 
to be verified by physical means. (For that matter, an existing 
special zone surrounding each legal user shall be assumed 
where the presence of an eavesdropper is not allowed.) 

If it is wanted to share a secret key by wireless communica- 
tion among legal users, it is necessary that one user generates 
some randomness and then to transmit it to its correspondent in 
such a way that it is effectively delivered to the legal recipient 
and any eavesdropper perceives either uncorrelated or weak 
correlated randomness. 



It is possible to provide non-unit correlation under the 
condition of multipatch wave propagation. Let us consider 
the following mathematical model of the channels between 
a source of randomness (the first legal user) and both the 
second legal user and the eavesdropper: rj = X)2=i 
( = X)"=i Ui£i> where £ = (fi),™ 1 is the vector randomness, 
x = (a;j) i _ 1 is the coefficient vector of the multipath propaga- 
tion to the second legal user, and y = (Uif^.-, is the coefficient 
vector of multipath propagation to the eavesdropper. Let us 
assume for simplicity E(£) — 0, then the following relation 
for the correlation coefficient of T) and £ results: 



u T R iV 



where R^ is correlation matrix of the random vector £. 

In a general case p(rj, £) < 1. Moreover if x and y are 
orthogonal, (e.g. (x, y) = 0) and = Id m , then p(r/, £) = 0. 

Common randomness results from fluctuation of the cannel 
characteristics due to communicating object motion. Such 
approach has been proposed in 0, 0. But it still entails 
another problem: it is easy to break the secret key under an en- 
vironment with small fluctuation of the channel characteristics 
or in the case when the communicating objects are stopped. In 
order to overcome these defects, a more sophisticated method, 
using smart antenna excited randomly by electronic means Q, 
has been proposed. However, the results presented in this paper 
were obtained experimentally and the investigation of KDP 
security performed incompletely is extended here. 

The goal of the current paper is thus to introduce a 
mathematical model and to present a theoretical investigation 
concerned with KDP security and reliability based on the 
use of a Variable-Directional Antenna (VDA). In order to 
justify the statistical characteristics of the VDA, we perform a 
simulation of a ring type VDA that is also excited randomly. In 
Section [TTJ we describe the conditions of the physical channel 
and we introduce an exact mathematical model of the KDP. 
The results of the VDA simulation are presented in Section |HI| 



Section IV contains an optimization of the KDP in order to 
provide both reliability and security. Finally we conclude the 
main results and present some open problems in Section [V] 
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Fig. 1. Scheme of the communication system corresponding to the KDP. 



II. KDP BASED ON MULTIPATCH WAVE PROPAGATION AND 
RANDOMLY EXCITED VDA 

The scheme of the communication system corresponding to 
the KDP is presented in Fig. [T] 

The KDP is described in the following steps: 

1) The legal user A forms the random antenna diagram by 
exciting the VDA with output of truly random generator 
(TRG) and fix this diagram for some given time interval 
[0, Tj] of the j-th key bit generation, j = 1, 2, . . . , n. 

2) A transmits to B a harmonic signal Sj(t) = coswrji, 
< t < Tj/2, with the beam pattern obtained at step 1 
over the multipath channel. 

3) B receives a harmonic signal from an omni-directional 
antenna (ODA) and forms the j-th key bit by comparing 
some functional computed with the received signal on 
the time [0,Tj/2] with a given threshold. 

4) The user B switches off its ODA in a regime of radiation 
and transmits the same harmonic signal Sj(t) = coswrji 
within the time interval Tj/2 < t < T r 

5) The user A switches off its VDA to a receiver and 
processes the received signal in the same manner as B 
did, forming the j-th key bit. 

6) A and B repeat n times the steps 1-5 with new and 
independent outputs of TRG in order to create the 
desired number of key bits. 

Thanks to the Reciprocity Theorem of radio wave propagation 
between uplink and downlink, the key sequences of A and B 
should be identical up to a random noise of receivers. Then 
the signal received by B at time Tj/2 can be expressed as: 



VijPij cos(woi + %), 



(1) 



where, with respect to the z-th ray at the j-th time interval, 
Pij is the channel attenuation coefficient, is the VDA 
amplitude gain, Oij is the VDA phase shift, including both 
phases in antenna diagram and phase shift in i-th ray, and m 
is the number of paths (rays). 

The signal received by E at time Tj/2 is: 



(2) 



where the primed parameters have the same meaning as the 
corresponding parameters in ([T} but in possession of E. (We 
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Fig. 2. The probabilty of the key bit disagreement between legal and illegal 
users depending on the correlation coefficient p. 



neglect initially the noise at the legal receivers, and we assume 
at all moment a noise absence at the eavesdropper E, in 
advantage with the legal users.) 

Later we will show that the probability distributions of the 
random values rjj and (j, which are produced by executing 
some functionals from both yj(t) and Zj(t) can have a good 
approximation by a zero mean Gaussian law. Then we prove 
that the probability of a bit disagreement between the j-th bit 
of the legal users and the eavesdropper key bits obtained by 
comparing them with a zero threshold is: 
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where p is the correlation coefficient between rjj and Q, 
a 2 = Var(^) = Var(£j). The dependence of p e versus p 
is presented in Fig. [2] We can see that in contrast to our 
intuition, the probability p e = 0.1 can be provided even when 
the correlation coefficient p has a significant value 0.95. 

In order to enhance the security of the legal user key string 
k shared after completion of the KDP it should be performed 
a privacy amplification [3|, |8|, [9], [10], or more specifically 
a mapping of the raw key string k to a shorter key string k of 
length I < n, using the so called hashing procedure k = h(k) 
taken from the universal class of hash functions ifTTl . Then 
the amount of Shannon's information leaking to E given her 
knowledge of the string k' satisfies 



J(k;k') 



< 



1 



an(2) 



(4) 



where t = n + nlog 2 {pi + (1 — p e ) 2 ) is the Renyi informa- 
tion under the assumption that the errors in the eavesdropper's 
key bits occur independently due to the independently gener- 
ated VDA on each of the j-th time intervals. Hence in order 
to select the parameter I we should calculate the correlation 
coefficient p depending on the mutual location of the legal 
user and the eavesdropper, the properties of VDA and the 
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Fig. 4. Channel model with 3-ray wave propagation. 



Fig. 3. Ring antenna with N identical radiators. 



characteristics of the multipath cannel. A solution for this 
problem will be presented in the next Section. 

III. Correlation between the values rjj and Q 

Let us consider as VDA the so called ring antenna (RA) 
shown in Fig. [3] having N identical isotropic radiators excited 
by their random phases. 

Then the complex instant antenna diagram can be presented 
by the well known formula IT2ll : 



N 



ikoRsin(8) cos 4> — 



2ns 



- iips 



(5) 

where ip s is a phase in the s-th radiator; fco = A is the 
length of the wave; R the radius of the RA; <\> is the angle in 
the azimuthal plane; and 9 is the angle in the vertical plane. 

Both instant amplitude and the phase antenna diagrams can 
be obtained from <[3j and they are random values providing 
random exciting to the RA. It would be possible to find 
theoretically different statistical characteristics of f(<j>, 9) but 
it is rather more easy to solve the same problem by simulation. 
Since the current paper is limited in space, we present only 
the main conclusions based on the simulations for the case of 
independent and uniformly distributed phases ip s on (0, 2n): 

• the probability distribution of the amplitude antenna 
diagram has a good approximation through the Rice law 
which can be approximated in its turn by a Gaussian non- 
zero mean law; 

• the probability distribution of the phase antenna diagram 
has a good approximation by an uniform law on the 
interval (0, 2ir). 

Next it is possible to compute theoretically the correla- 
tion coefficients between rjj and Q for different functionals 
producing them and to find their probability distributions by 
simulation. However, it is necessary to specify the channel 
model and the functional description. To be more specific, 
let us consider a 3-ray channel model and a location of 
eavesdropper on the line connecting legal users (Fig. Hh. 



We select two functionals of yj(t) and Zj(t) producing rjj 
and and the functionals are compared with some thresholds 
in order to obtain the key bit kj. The functionals are (see 
eq. (0): 

• envelope: [ij = \j ^% 1^% where [i Cj = 

Aij cos9 t j, (j, Sj = J2i=i Aij sinOij, Ay — Vijf3 l3 , 

• phase difference 



Aipj = ip 
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In a similar manner, there can be presented the corresponding 
functionals for eavesdropper: /j,'j , fi' c . , fi' s . , At/j'^ -. 

We will be interested in finding the probability distributions 
of all functionals and correlations between similar functionals 
of any legal user B and the eavesdropper E. Because it is very 
hard to compute these values theoretically, we will find them 
by simulation for some given channel parameters. 

Let us take l\ — 25m; h\ — 3m, /12 = 3m (distances to 
the first and to the second reflecting surfaces, respectively), 
N = 6, A = 12.5cm, R = A/2 (see Fig's. [3] and Assume 
that E is placed between legal users A and B within the interval 
(3-22)m. The results of simulation are presented in Fig. [5] The 
dependences of the correlation coefficients and rAi/>.Ai/j' 
versus distance A£ between the eavesdropper E and the legal 
user B are shown in Fig. |5ja) and Fig. |5|b). 

Since the correlation between the values Aipj and Ai// 
occurs less than the correlation between fij and fij (see Fig.|5]l, 
it is reasonable to select the phase difference functional in 
order to form m and compare it with zero threshold for the 
kj key bit generation. (In order to coincide phases of support 
generators at users A and B, it is possible to transmit a special 
pilot signal and to tune phases of both users at the initial stage 
of KDP.) 

In Fig. [6] there are presented empirical probability distribu- 
tions for these functionals. It is evident that both cases can 
be approximated by appropriated Gaussian distributions (see 
solid curves). Therefore the relation (|3} can be used to find 
the probability of disagreement between the key bits of the 
legal users and the eavesdropper. But before we address to 
eq. (HI) in order to calculate security of KDR it should be 
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Fig. 5. The dependence of correlation coefficients versus distances between 
legal user and eavesdropper, a) for envelope, b) for phase difference. 
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Fig. 6. Empirical probability distribution for chosen functionals. 



taken into account an opportunity for the presence of noise at 
the receivers of the legal users. 

IV. KDP OPTIMIZATION UNDER NOISY LEGAL CHANNEL 

From now on we remove our previous assumption that the 
multipath channel among legal users A and B is noiseless but 
keep such condition for eavesdropper's channel. (Obviously, 
the last assumption cannot degrade the security of KDP.) 

In this setting it is necessary to use some methods in order 
to correct disagreements in key bits of legal users. It is very 
reasonable to use firstly a selection of the most reliable key 
bits with a public discussion over a noiseless channel between 
legal users, and then to apply forward error correction codes 
(FEC) by sending of the check bits over the same noiseless 
channel. (It is worth to note that a noiseless public channel 
among legal users can be arranged by the choice of special 
regime, namely large signal power or omnidirectional antenna 
of the user A that we were unable to use for the execution of 
KDP.) The first method of the most reliable key bit selection 
is to take decision following the rule: 



kj — 



1 if rjj > a, 
if r/j < —a, 
erase otherwise, 



where rjj is the output of Ai/jj, and a a threshold. 

After a completion of the KDP including a production of 
the erased bits for both legal users it is necessary to mutually 
announce the numbers of these bits over public noiseless 
channels. In this case, the probability of a key bit disagreement 



between legal users and eavesdropper, given by ([3]), has to 
be corrected because an eavesdropper is able to intercept 
information about the numbers of accepted key bits over the 
public channel. We will take into account this fact later for the 
simulation procedure. The second method is to keep only the 
most reliable key bits, say M, and to remove the others. This 
means that the legal users form variation series of the values 
| rjj | on a decreasing order and next to keep (after mutual public 
discussion) the first M members of this series to generate 
the key bits. Of course in this case the probability of key bit 
disagreement p e is changed also against Q. 

Let us denote by p\ and p2 the probability of legal key 
bit errors after the first and the second method, respectively. 
Next we use an error-correcting code (n + r, no) sending a 
sequence of r check symbols over public noiseless channel in 
order to correct eventually errors in the key sequence. Then 
the probability of erroneous decoding P e( j by the modified 
Gallager's theorem is HUl: P ed < 2~ n ° E( - Rc \ where 

Po(2R c - 1) 



E(R C ) 
E (R) 



max 

p e(o,i 



Eo(p) 
Po-(l + po) log 2 



Rc 

pTT^ + (1 



Rc 



n +r ' 



and no is the number of bits kj which have been 
kept by legal users after erasing the unreliable bits following 
the first or the second procedures, and p is the error probability 
for the kept bits. In the case of check symbol sending, the 
Privacy Amplification Theorem against Q becomes iflOl : 

T(ic-\c'\ < - 

i\k.,k.)_ 2 «o-£-t-r ln (2)- 

KDP optimization problem is to get the maximum key rate 

7? - 1 1 
-fik — — — , 



no + n er n 

while n er is the number of erased symbols after the use of 
the method 1 or 2 and given the values I(k; k'), P e d, £, and 
different signal-to-noise ratio (S/N) at the receivers of the legal 
users. We solve this problem by simulation for the case of 
Gaussian noise at the legal receivers. 

In Tables [I] and [II] there are presented the results of such 
optimization for typical conditions for the first and the second 
method of unreliable bits removal, respectively, where P er is 
the probability of key bit erasing. 

We can see from these tables that the second method is 
for large correlation a little bit better than the first one. 
However both methods provide sufficiently reliable and secure 
key sharing if eavesdropper is placed on 3-2 lm away from 
legal user B and phase difference is used as key generating 
method (see Fig. |5jb)). A similar conclusion is drawn also 
for multipath channels with other parameters and locations of 
eavesdroppers. In order to enhance the security of the KDP, 
antenna diversity can be used when B has m omnidirectional 
antennas and he selects randomly one of them at each time 
period Tj to receive and transmit signal. Then the relation 
finding the Renyi information used in Q changes for: 

t = n + - log 2 (pi + (1 - p e f) . (6) 
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TABLE I 

Key rate maximization for the first method given 
J(k; k') = 10~ 9 bit, P ed = 10" 5 , S/N=100 and different p. 
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TABLE II 

Key rate maximization for the second method given 
Z(k; k') = 10~ 9 bit, P ed = 10 -5 , S/N=100 and different p. 



The relation (|6]l holds with the probability equal to the proba- 
bility of the event in which with at least of one of antennas a 
mutual location of the legal user and the eavesdropper is got 
such that p < p* , where p* is found by ^ given p e . 

We considered so far a scenario when an eavesdropper uses 
the same omnidirectional antenna as the legal user B. But 
E can execute directional antenna to separate all rays and 
to process the best of them or even apply joint processing 
to all of them. We have performed a simulation of the case 
with single ray separation and it has been shown that the 
correlation coefficient even decreases in comparison with one 
presented before. The case of joint processing of separated 
rays is noteworthy. But we can remark that even under the very 
strong condition in which the eavesdropper knows exactly all 
channel parameters both for E and B, there is still uncertainty 
about VDA gains in the direction of E and B. Therefore, 
generally speaking, the correlation coefficient occurs even in 
this case with a value less than one. 

V. Conclusion and future work 

We considered a method of key sharing based on the concept 
of a VDA under the condition of multipath channel and we 
showed that sufficient security and reliability of the shared 
keys can be provided even when the eavesdropper's channel is 
noiseless. The results of investigations show that the security 
of the KDP (in terms of Shannon's information leaking to 
eavesdropper) does not depend only on the distance between 



legal users and eavesdropper but also on the eavesdropper's 
location. This result somewhat contradicts to a very optimistic 
conclusion in Q. 

We propose to use the difference-phase functional instead 
of either quadrature components or envelope in order to form 
key bits. This approach results in less mutual correlation 
between legal user and eavesdropper and simplifies a choice 
of threshold. The key sequence k is i.i.d if VDA is excited 
by independent random phases and threshold is chosen in 
an appropriate manner. (This fact has been confirmed by 
simulation using statistical tests.) Our contribution consists 
also in the proof of relation <|3j which allows to connect the 
probability of disagreement between the key bits of legal users 
and eavesdropper with the correlation of corresponding values. 
Unfortunately, a limited space of the paper does not allow us 
to show all simulation results for different multipath channels 
and mutual location of legal users and eavesdroppers, which 
we have got at our disposition. 

In the future we are going to investigate: i) the use of 
multitone signals in the KDP, ii) the localization of optimal 
processing of the eavesdropper rays separation in order to 
provide the greatest correlation, iii) the use of real FEC and 
effective decoding algorithms with KDP (instead of extended 
Gallager's bounds); and, iiv) the use of other types of VDA 
(like ESPAR or others). 
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